1. 16 Aug, 2017 3 commits
    • Craig Gallek's avatar
      dsa: fix flow disector null pointer · 7324157b
      Craig Gallek authored
      A recent change to fix up DSA device behavior made the assumption that
      all skbs passing through the flow disector will be associated with a
      device. This does not appear to be a safe assumption.  Syzkaller found
      the crash below by attaching a BPF socket filter that tries to find the
      payload offset of a packet passing between two unix sockets.
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
         (ftrace buffer empty)
      Modules linked in:
      CPU: 0 PID: 2940 Comm: syzkaller872007 Not tainted 4.13.0-rc4-next-20170811 #1
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      task: ffff8801d1b425c0 task.stack: ffff8801d0bc0000
      RIP: 0010:__skb_flow_dissect+0xdcd/0x3ae0 net/core/flow_dissector.c:445
      RSP: 0018:ffff8801d0bc7340 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000060 RSI: ffffffff856dc080 RDI: 0000000000000300
      RBP: ffff8801d0bc7870 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000008 R11: ffffed003a178f1e R12: 0000000000000000
      R13: 0000000000000000 R14: ffffffff856dc080 R15: ffff8801ce223140
      FS:  00000000016ed880(0000) GS:ffff8801dc000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020008000 CR3: 00000001ce22d000 CR4: 00000000001406f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       skb_flow_dissect_flow_keys include/linux/skbuff.h:1176 [inline]
       skb_get_poff+0x9a/0x1a0 net/core/flow_dissector.c:1079
       ______skb_get_pay_offset net/core/filter.c:114 [inline]
       __skb_get_pay_offset+0x15/0x20 net/core/filter.c:112
      Code: 80 3c 02 00 44 89 6d 10 0f 85 44 2b 00 00 4d 8b 67 20 48 b8 00 00 00 00 00 fc ff df 49 8d bc 24 00 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 13 2b 00 00 4d 8b a4 24 00 03 00 00 4d 85 e4
      RIP: __skb_flow_dissect+0xdcd/0x3ae0 net/core/flow_dissector.c:445 RSP: ffff8801d0bc7340
      
      Fixes: 43e66528 ("net-next: dsa: fix flow dissection")
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarCraig Gallek <kraig@google.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7324157b
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Use correct config option · df9a21f1
      Ido Schimmel authored
      I made an embarrassing mistake and used 'IPV6' instead of 'CONFIG_IPV6'
      around the function that updates the kernel about IPv6 neighbours
      activity. This can be a problem if the kernel has more neighbours than a
      certain threshold and it starts deleting those that are supposedly
      inactive.
      
      Fixes: b5f3e0d4 ("mlxsw: spectrum_router: Fix build when IPv6 isn't enabled")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      df9a21f1
    • Ido Schimmel's avatar
      ipv6: fib: Provide offload indication using nexthop flags · fe400799
      Ido Schimmel authored
      IPv6 routes currently lack nexthop flags as in IPv4. This has several
      implications.
      
      In the forwarding path, it requires us to check the carrier state of the
      nexthop device and potentially ignore a linkdown route, instead of
      checking for RTNH_F_LINKDOWN.
      
      It also requires capable drivers to use the user facing IPv6-specific
      route flags to provide offload indication, instead of using the nexthop
      flags as in IPv4.
      
      Add nexthop flags to IPv6 routes in the 40 bytes hole and use it to
      provide offload indication instead of the RTF_OFFLOAD flag, which is
      removed while it's still not part of any official kernel release.
      
      In the near future we would like to use the field for the
      RTNH_F_{LINKDOWN,DEAD} flags, but this change is more involved and might
      not be ready in time for the current cycle.
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fe400799
  2. 15 Aug, 2017 29 commits
  3. 14 Aug, 2017 8 commits